
The material in this presentation is 
provided for information only. 

It represents my own personal views and 
may not be the views of my current or 
past employers. 

You should make up your own mind and 
take responsibility for your own actions. 



Interactive Question 



security recommendations ... but you've 
been ignored or overlooked? 

Answers: 

1. Yes, occasionally 

2. Yes, all/most of the time 

3. No, I don't have that problem 



Common problem: 

Most information security professionals 
generally know what appropriate controls 
are 



But sometimes business or ICT 
stakeholders don't want to implement 
them. 



Why does this happen? 



Costs money 

Reduced flexibility ... 
inconvenience 

Impacts ease of use 

Takes time to define, 
implement and 
maintain 

Some people don't 
want to think! 



Don't appreciate the 
risks involved 

Some implementers 
lack knowledge ... 
they don't know how 
... won't admit it 

Perceived as someone 
else's problem 




Influence more effective/appropriate information 
security decisions by: 

• Being more pragmatic ... 80-20 principle 

• Using better communication skills & techniques 

• Using risk assessments to highlight key issues and 
drive the decision making process 

• Using business accountability to your advantage 

• Leveraging other assurance peers (if all else fails) 



Information security control frameworks are a good start 
... but don't follow them blindly 

Take the time to understand: 

- what are the key issues and risks 

- which controls are most critical 

- what is already "on track" ... don't have to worry about that! 

Don't recommend 12 controls, if 4 will suffice. 

Focus on the key issues ... don't sweat the small stuff 

Most organisations are not after "best practice" ... 
only "good enough" practice 



3. Why communication skills? 



Survey of CISOs: ... to be successful ... effective 
communications was one of the top 2 issues 

Like it or not, we are in the game of 
selling "bad news" 

Need to gain buy-in (business & ICT) as early as 
possible ... otherwise the game is lost 

Want to be perceived as a customer-focused 
enabler of business - ie "business friendly" 



"I'm yet to meet a business 
manager who, once they 
understood the implications, 
didn't support appropriate 
information security controls" 



Key points ... 



ONCE THEY UNDERSTOOD THE 
IMPLICATIONS ... 

Our job is to help business and ICT managers 
to understand 



"APPROPRIATE" ... controls 

Not "draconian" controls ... reasonable and 
appropriate controls 



Our job as 



Assume the business has no idea about the 
implications (not their area of expertise) 

Our job to communicate this to them: 

- in professional, business friendly ways ... 

- in simple language they can understand (avoid jargon 
wherever possible) 

Need business to understand ... 

- That "bad things" can happen ... of a certain 
magnitude 

- Which can ADVERSELY IMPACT THEM 



When communicating ... 



Start with the basics ... make sure they know what 
Information Security is actually about 

Information Security aims to: 

Appropriately protect: 

- sensitive/confidential/private information, and 

- business-critical ICT environments & services 

Enable the organisation to more confidently innovate 
with ICT: 

- by better understanding & addressing risks to sensitive 
information and the ICT systems it resides in 

- particularly for business scenarios involving outsourcing / 
external hosting / "cloud computing" etc 




Sensitive information leaked into public 
domain 

Adverse community reaction and/or 

damage to organisation's reputation 

- Think Newspaper / A Current Affair 

Business-critical services reliant on ICT 
are degraded or not available 

Financial costs, fines or fraud 

Customers experience identity theft, 
financial fraud or cyber crimes 

Potential legal action 

The organisation's senior manager/s 
'pants catch on fire' 



Some communications examples 

bad ones 



"You can't do that" 

- Why not ... Don't understand the issues? 

- Is this professional ... business prevention mode? 

- Business will probably go around you anyway 

"You must get my approval before you do 
anything" 

- Is this business friendly? 

- Need sufficient resources to respond ... can become a bottleneck 

- Still perceived as the security "nazi" 



Some communication examples 
... a little better 



"There are security and privacy implications" 

- Okay, but so what? 

- Still someone else's problem (SEP) ... should I care? 

"Sensitive personal customer information may be accessed 
by or disclosed to unauthorized parties" 

- A little better ... But still "so what" ... SEP? 
Still don't know the business impacts ... or magnitude 

"It has been assessed there is a 'high' risk that sensitive 
personal customer information may be accessed by or 
disclosed to unauthorized parties. Our organization is 
required to protect such information by federal/state 
privacy laws." 

- Getting better ... but what are the business impacts ... SEP? 



Some communication examples 
... nearly there 

"It has been assessed there is a 'high' risk that sensitive personal 
customer information may be accessed by or disclosed to 
unauthorized parties. Our organization is required to protect such 
information by federal/state privacy laws. 

This could result in adverse media coverage that causes: 

- Damage to the organization's reputation and "corporate brand" 

- Loss of existing customers or failure to attract new customers 

- Financial costs and/or penalties including: managing the "data spill" 
itself, defending against potential law suits, reduced revenues & profits, 
lost market share, and falling share price / market capitalization (for 
publicly listed companies) ... estimated in the ballpark of 10%-40%. 

Furthermore, our customers could experience identity theft, instances 
of financial fraud and/or related cyber-crime." 

A lot better ... is more compelling ... but there's more! 



Interactive Question 

Who should be responsible for accepting the 
"high" risk in the previous example? 

Answers: 

1. It's a risk ... the Company Risk Manager 

2. It's about ICT ... the CIO / ICT Manager 

3. It's about information security ... the CISO / 
Information Security Manager 

4. It's a risk to business outcomes ... the relevant 
"Business Sponsor" / Line-of-Business Manager 



4. Business Accountability: 
A decision making model? 



From a governance perspective ... if a business 
manager is responsible and accountable for 
delivering a business function/service, and the 
risk will impact them ... 

Shouldn't they decide whether to accept the 
risk, or not, on the business' behalf? 

• My view: Yes. 

Use business accountability to your advantage 



Business-aligned "decision making" model 



The Information Security Manager (and team) provides 
information/ICT security risk advice 

- Advises on risks and potential risk mitigation options 

- Do not "approve" risks or make go/no-go decisions ... 

- But do facilitate appropriate risk acceptance by the company. 

• Some risks affect only one business unit - these are 
"business risks". 

• Some have wider implications to other business units or ICT 
networks/ systems - these are "enterprise ICT risks" 

The Business Sponsor should decide: 

- which "business risks" to accept on the organisation's behalf 

- balance this with wider business/project risks (eg schedule, cost) 

- what additional risk mitigators (ie controls) to fund 

The CIO (or their delegate) should decide: 

- what "enterprise ICT risks" to accept on the organisation's 
behalf 

- balance this with wider ICT risks, budgets and project risks 




A good communication example 



"It has been assessed there is a 'high' risk that sensitive personal 
customer information may be accessed by or disclosed to 
unauthorized parties. Our organization is required to protect such 
information by federal/state privacy laws. 

This could result in adverse media coverage that causes: 

- Damage to the organization's reputation and "corporate brand" 

- Loss of existing customers or failure to attract new customers 

- Financial costs and/or penalties including: managing the "data spill" 
itself, defending against potential law suits, reduced revenues & profits, 
lost market share, and falling share price / market capitalization (for 
publicly listed companies) ... estimated in the ballpark of 10%-40%. 

Furthermore, our customers could experience identity theft, instances 
of financial fraud and/or related cyber-crime. 

Since you are the business sponsor for this initiative, and are 
responsible and accountable for its outcomes, are you prepared to 
accept this risk on the organization's behalf?" 



A good communication example - 
leveraging business accountability 



A very compelling and persuasive case 

Aligns information security decisions with 
business needs and priorities 

Enables the information security team to get out 
of "business prevention" mode ... 

- We're not here to "stop you" or slow you down 

- We just want to ensure you're across some issues 
and risks you might not be aware of .... 



Business Accountability 



Key "Take Away" 



People tend to be risk takers 
when someone else's 
backside is on the line ... 

They tend to be more 
risk averse, when their 
backside is on the line! 



This is how you influence effective information 
security decisions ... but it needs good risk 
management practices to work effectively 




5. Effective risk management 



One of the most critically important things to 
information security 

Use it sensibly (when you need it) to aid 
effective decision making 

Remember ... be pragmatic ... 80/20 principle 

Don't try to "boil the ocean" ...identify the key 
3-5ish issues first ... and risk assess them. 



Effective risk management 



Risk assessments are: approximations ... subjective 

They rely on known and unknown information, which 
presents challenges for some ICT security stakeholders 
who want "exact" answers 

- If risk was measured on a linear scale of 0-10 ... (which of 
course it is not) 

- Sometimes just need to say ... we're not quite sure but we think 
there's a risk here in the 7-9 ballpark 

- It gets the business to the table to discuss further 

You don't need to measure risk to 10 decimal points 

(ie 7.8345889323!!!) 



Effective risk management 



Overview of the process ... current risk exposure = 
likelihood x impact - effectiveness of current controls 

Risk assessments need to be defendable and aligned (as 
close as is possible) to business needs. 

The business are normally experts on "business impact" 
... use a business impact assessment tool, and get the 
business to approve/endorse the outcomes. 

Information security team usually the experts on 
likelihood and effectiveness of current controls 



Interactive Question 



Fictitious Scenario: 

You discover that a business unit has been emailing 
private customer information to an external party; it 
has been going on for 12 months. 

What is the risk? 

The business determines the impact to be Major 
What is the likelihood it has been compromised? 

You decide, is it: 

1. Almost certain 2. Likely 

3. Possible 4. Unlikely 

5. Rare (ie very unlikely) 

Opinions vary!! 



Effective risk management 



Assessing likelihood: 

- Be sensible & reasonable ... not everything is "almost 
certain" to occur, or even "likely" ... don't be "Chicken 
Little". 

- Need to be realistic for the industry you're in. 
Remember, for "as is" situations: 

- The business will ask tough questions ... Hey, I've 
been doing this for a year already and nothing bad 
has happened 

- Why do you say it is "almost certain" this will occur? 

Do your homework, needs to be defendable 



Effective risk management 



When presenting multiple risks: ... present them in 
severity order with the highest at the top 

Colour code risk severity in traffic-light style ... 

a manager's eye will be drawn to red, orange and/or 

yellow indicators 

If possible, develop agreed risk acceptance "delegations" 

Don't bother people about Low risk issues 

Present risk mitigation options ... people like options, 
they feel more in control 

Explain the risk remediation "journey" to stakeholders ... 
... hold their hand ... use pictures if necessary 
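As an added example, not from the presentation: a small Python script that scores risks with the slide's model (current risk exposure = likelihood x impact - effectiveness of current controls), orders them highest first and colour-codes them traffic-light style, dropping Low items so nobody is bothered about them. The 1-5 likelihood and impact scales, the 0-5 control effectiveness scale and the band thresholds are assumptions, not values from the slides.

```python
from dataclasses import dataclass

# Likelihood bands from the "fictitious scenario" slide, mapped to 1-5 (assumed mapping).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
# Impact bands; the slides only name "Major", the rest of the scale is assumed.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}


@dataclass
class Risk:
    title: str
    likelihood: str             # security team's call
    impact: str                 # business's call (business impact assessment)
    control_effectiveness: int  # 0 (no controls) .. 5 (strong controls), assumed scale


def exposure(r: Risk) -> int:
    """current risk exposure = likelihood x impact - effectiveness of current controls."""
    return max(LIKELIHOOD[r.likelihood] * IMPACT[r.impact] - r.control_effectiveness, 0)


def band(score: int) -> str:
    """Traffic-light severity band; thresholds are an assumption, not from the slides."""
    if score >= 15:
        return "RED"
    if score >= 9:
        return "ORANGE"
    if score >= 4:
        return "YELLOW"
    return "GREEN"


def risk_register(risks, include_low=False):
    """Highest severity first; GREEN (Low) items are dropped unless asked for,
    per 'don't bother people about Low risk issues'."""
    rows = [(r.title, exposure(r), band(exposure(r))) for r in risks]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [row for row in rows if include_low or row[2] != "GREEN"]


# Constructed sample register; the first entry is the email scenario from the slides.
SAMPLE = [
    Risk("Customer data emailed to an external party for 12 months", "Likely", "Major", 0),
    Risk("Shared admin account on payroll system", "Possible", "Major", 3),
    Risk("Unpatched internal test server", "Possible", "Minor", 2),
    Risk("Visitor badge process not followed", "Unlikely", "Insignificant", 1),
]

if __name__ == "__main__":
    for title, score, colour in risk_register(SAMPLE):
        print(f"{colour:6} {score:2}  {title}")
```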




Leverage other Assurance 
Stakeholders (if necessary) 



You can't win them all! 

Sometimes the business will accept the risks, 
and most of the time this is appropriate. 

So what should you do in scenarios where you 
feel that business risk acceptance is not 
appropriate? 

ANSWER - Leverage other "assurance 
stakeholders" 



Build relationships with them - help each other 

Most have similar interests - ie business risk 
management etc 

Some are well connected, and have the ear of 
senior management (even the CEO) 

Only use them when you really, really need it 

- They have their own jobs to do 

- They will lose interest if you use them too often 



"Correction" Strategies 



Notify Only 

Please be aware of this situation ... CC Business Sponsor 

Still fairly "business friendly" 

Sometimes this is enough to get things back on track 



Request Their Opinion or Involvement 

Not as "business friendly" ... but occasionally necessary 

Do they agree with the decision? Do they think it is 
reasonable or appropriate? 

Do they want to discuss this issue with their superiors? 

Were they planning any audit/review activities in this space? 



Summary 



Information Security professionals can influence more 
effective decision making within their organisations. 

Achieve this by: 

• Being pragmatic ... identify the key issues ... use the 80- 
20 principle 

• Better communication skills and techniques 

• Use risk assessments to support your case & drive 
decision making 

• Use business accountability to your advantage 

• Leverage assurance peers (where necessary) 



Summary 



As information security professionals: 

Assume the business does not understand the 
implications (not their area of expertise) 

We need to communicate this to them: 

- in professional, business friendly ways ... 

- in simple jargon-free language they can understand 

That "bad things" can happen ... of a certain 
magnitude 

Which can ADVERSELY IMPACT THEM 



Caveats 



Not a "silver bullet" 

Does require a little effort up front, but can save 
you effort in the long run 

Need to be patient, it takes some time to get 
critical mass and overcome misconceptions 

Need to become proficient at risk assessments 

Is more effective if the organisation already has 
some risk management practices 



What's in it for me (WIIFM) 



To regain your sanity ... stop swimming 
against the current 

You will become more effective and productive 
... people start following your recommendations 

Builds trust ... more likely to be engaged 

You end up making less of the "hard decisions" 
yourself ... so start sleeping well at night 

Enhances your professional reputation ... leads 
to increased career advancement opportunities 



